Karen Scarfone

Karen is dedicated to helping federal agencies and others communicate technical cybersecurity info to external and internal audiences. Karen founded her company on the belief that security professionals will continue to fall behind attackers until we become more adept at communication.

Karen was formerly a Senior Computer Scientist at NIST, where she developed security publications for federal agencies and the public. She holds master's degrees in computer science and technical writing, and she's worked in IT for over 30 years.

Karen Scarfone's Publications and Blog

Here are links to my online publications and blog posts! Sign up to get a weekly email update when I release a new pub or blog post.

TechTarget • 25th May 2023

Smart contract benefits and best practices for security

While smart contracts promise enormous benefits in the enterprise, they also present opportunities for cybercriminals. Explore best practices to keep them secure.

NIST • 17th May 2023

SP 800-124 Revision 2, Guidelines for Managing the Security of Mobile Devices in the Enterprise

This publication assists organizations in managing and securing mobile devices against the ever-evolving threats. To address these threats, this publication describes technologies and strategies that can be used as countermeasures and mitigations.

TechTarget • 16th May 2023

How to build a better vulnerability management program

Let's look at how to improve your organization's vulnerability management, whether it already has a vulnerability management program or is thinking about starting one. The following five steps are key to building a better vulnerability management program.

Cybersecurity Guide • 12th May 2023

An interview with Karen Scarfone

On today’s show our guest is Karen Scarfone. She’s the principal consultant for Scarfone Cybersecurity in Clinton, Virginia. We’re going to be talking about small businesses and cybersecurity.

NIST • 3rd May 2023

SP 1800-36 (Draft), Trusted IoT Device Network-Layer Onboarding and LC Management

Trusted network-layer onboarding, in combination with additional device security capabilities such as device attestation, application-layer onboarding, secure lifecycle management, and device intent enforcement could improve the security of networks and IoT devices.

NIST • 25th April 2023

Implementing Data Classification Practices

The NCCoE is collaborating with technology providers to build several example data classification solutions and demonstrate their ability to meet organizational data classification needs. The project’s objective is to define product-agnostic recommended practices for defining data classification schemes and communicating them to others.

TechTarget • 19th April 2023

Top 7 Data Loss Prevention Tools for 2023

Some DLP tools encompass the entire organization -- and these are the focus of this article. First let's discuss some must-have features and capabilities. Then, take a close look at seven enterprise DLP tools for the information needed when evaluating the best product for your company's needs.

Cybersecurity Guide • 18th April 2023

NIST and small business cybersecurity

This guide provides an overview of the existing free resources and the latest programs for small business cybersecurity from NIST.

TechTarget • 17th April 2023

How to build a cybersecurity deception program

To build a cybersecurity deception program, security leaders need a thoughtful and strategic approach. Consider the following best practices.

TechTarget • 11th April 2023

Centralized vs. decentralized identity management explained

Learn about centralized vs. decentralized identity management, as well as the advantages and disadvantages of each, from two viewpoints: organizations that want to verify user identities and individuals that want to access organizations' resources and services.

Blog • 24th March 2023

Cyber Guidance for Small Businesses

How can the security community better bridge the gaps between Big Guidance and small business?

EdTech • 23rd March 2023

How to Detect and Respond to Bot Attacks in Higher Education

Bots continue to become more capable and harder to detect, so it’s more important than ever that you know how to prepare for them, spot them and stop them.

NIST • 13th March 2023

SP 800-219 Rev. 1, Automated Secure Configuration Guidance from the mSCP

This publication introduces the mSCP, describes use cases for leveraging the mSCP content, and introduces a new feature of the mSCP that allows organizations to customize security rules more easily.

TechTarget • 6th March 2023

How to create an incident response playbook

Here's a crash course in what incident response playbooks are, why they are important, how to use them and how to build them.

Blog • 5th March 2023

20 Years of Supporting NIST

This month is my 20-year anniversary of supporting NIST.

TechTarget • 24th February 2023

Centralized vs. decentralized identity management explained

Learn about centralized vs. decentralized identity management, as well as the advantages and disadvantages of each from the viewpoints of organizations and individuals.

FedTech • 9th February 2023

How IoT Can Impact Agency Security

Security measures may differ from one IoT device to another and even for a single type of device if it’s used for multiple purposes. That said, here are the high-level principles that every agency should follow.

TechTarget • 25th January 2023

How cyber deception technology strengthens enterprise security

Cyber deception technology has recently gained the spotlight as a key defensive weapon in the enterprise cybersecurity arsenal.

Blog • 15th January 2023

Belief

I thought that sharing my story might be helpful or interesting to some people who feel like I used to.

Blog • 8th January 2023

Mapping Methods

I'm crowdsourcing my quest for mapping methods.

Load More